The Blackmoon Trojan Framework

Blackmoon (also known as KRBanker) is a banking trojan that was first detected in 2014. Its purpose is to steal financial account login credentials using a man-in-the-browser attack. The perpetrators then impersonate legitimate users to conduct fraudulent transactions with banks or with a variety of wealth management, investment, retirement, and similar services(1). In this way, Blackmoon victimizes both consumers and businesses when the campaign is successful. South Korea is currently a primary target.

The latest version of Blackmoon uses a new multi-phase framework to evade current detection and facilitate more effective program modifications in its victims.

Referred to as the Blackmoon Downloader Framework(1), it consists of three stages, or modules, that are designed to work in unison.

Stage 1-Dropper

Blackmoon propagates via a dropper commonly delivered via adware, phishing, or in some cases exploit kits. Upon execution, the dropper code spawns multiple processes, each of which is necessary to ensure a successful infection. During the first stage, a browser vulnerability is exploited to request and receive the bytecode that initiates stage 2.

Stage 2-Downloader

The second stage runs bytecode. Its purpose is to expand the malware's functionality and resolve any functions it needs. It then decodes an onboard blob of data with a single-byte XOR. The decoded blob contains the URL for the next download, from which the malware retrieves an EXE file typically masked as a JPG file to avoid detection.
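
For analysts triaging a suspected stage 2 artifact, the sketch below (an added example, not code from the Blackmoon framework or the cited report) tries every single-byte XOR key against an extracted blob to recover the next-stage URL, and flags a download named like a JPG whose content is actually a PE executable. The function names, the sample key, URL and bytes are constructed for illustration, and the http/https scheme is an assumption.

```python
import re

# Assumption: the decoded URL uses an http or https scheme.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def recover_xor_urls(blob: bytes) -> list[tuple[int, str]]:
    """Try every single-byte XOR key; return (key, url) for each URL found."""
    hits = []
    for key in range(1, 256):  # key 0 would mean the URL is stored in the clear
        decoded = bytes(b ^ key for b in blob)
        for match in URL_RE.finditer(decoded):
            hits.append((key, match.group().decode("ascii")))
    return hits


def is_pe_disguised_as_jpg(name: str, data: bytes) -> bool:
    """Flag a download named like a JPG whose content is a PE executable."""
    if not name.lower().endswith((".jpg", ".jpeg")):
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


# Constructed sample data (not taken from any real Blackmoon sample).
SAMPLE_KEY = 0x5A
SAMPLE_URL = b"http://stage3.example.invalid/img/photo.jpg"
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in b"\x00\x00cfg\x00" + SAMPLE_URL + b"\x00\x00")
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for key, url in recover_xor_urls(SAMPLE_BLOB):
        print(f"key=0x{key:02x} url={url}")
    print("photo.jpg is PE:", is_pe_disguised_as_jpg("photo.jpg", SAMPLE_PE))
    print("real.jpg is PE:", is_pe_disguised_as_jpg("real.jpg", SAMPLE_JPG))
```

The same extension-versus-content check can be applied to proxy or sandbox captures, since a response served under an image name that begins with an MZ header is a mismatch worth alerting on.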

Stage 3-EXE

The framework’s final stage uses a Base64 string encoding technique to mask operations. This obfuscation hides decoding of the Command and Control (C2) IP addresses used for bot check-in, downloading of the EXE payload, and its execution. This stage results in a victim’s browser being redirected to a compromised website, similar to the one shown in figure 1. After a user attempts to authenticate, their login credentials are harvested and redirected to the threat actors.